The most well-known security story SharePoint folks are hearing these days is the statement of Keith Alexander – the director of the National Security Agency (NSA) and also the Commander of U.S. Cyber Command. According to U.S. Department of Defense, Alexander said that the leaker working in NSA Hawaii was a system administrator who was authorized to leaked information that was stored on the SharePoint servers. Although he didn’t blame directly the use of Microsoft SharePoint products and technologies, the statement apparently awakes lots of companies that are using SharePoint as a collaborative business platform to the perception of information security. Watch the interview between Keith Alexander and Pete Williams, Chief Justice Correspondent, NBC News below.
- Intranet Collaboration Security in SharePoint – Part 1 (You are here)
- Intranet Collaboration Security in SharePoint – Part 2
- Intranet Collaboration Security in SharePoint – Part 3
Daily activities on SharePoint is to create document, share information and work collaboratively. Shared documents may contain intellectual property, financial report, confidential employee information, business result or so on. Imagine if any of these kinds of information are compromised to your company’s competitors someday, it will probably devastate the company’s business. The compromising would debase your company reputation.
I’ve been recently involved in a SharePoint disaster recovery project in which I had to recovery data after many computers and SharePoint servers were corrupted by a programmatically virus. To tell the truth, the reputation of this company is losing due to the attack. Obviously we all see that shareholders, stocks or financial-related stuffs in this company are strongly impacted. Another SharePoint security-intensive project I’ve done is to audit and harden a hosting SharePoint environment for an airport. In this project, I got to fix many misconfiguration and security breaches inside the SharePoint farm.
I think there is something I need myself to write to keep my brain more active in the field. That’s why I’ve come to a decision with a series of intranet collaboration security in the SharePoint platform. This series doesn’t cover in-depth security stuffs such as an explanation to cryptographic algorithm or the security mechanism of a specific SharePoint customization. Instead, it does focus on information security in your SharePoint intranet, mostly documents containing sensitive information. When it comes to SharePoint security, I’d consider the following areas:
- Infrastructure & System: it includes Windows Server Operating System that is required before SharePoint deployment, IIS web server that is responsible for authentication and web services, and network devices e.g. firewall, reverse proxy.
- Application: this includes configurations in your SharePoint farm, for example the configuration of Service account, application pool identity, Web part configuration. This may include customization or 3rd add-in for SharePoint.
- Database: SharePoint content databases that contain shared sensitive documents; lists are stored in SQL Server.
- Content: almost documents people share and work everyday. They need to be systematically controlled and protected from unauthorized users and threats from the Internet.
- Compliance: to build a strong perimeter and an accurate security baseline, companies need to meet regulatory compliance. The compliance can be internally developed to meet specific security needs, or followed by international standards such as PCI DSS (Payment Card Industry Data Security Standard), SOX (Sarbanes-Oxley Act), HIPPA (Health Insurance Portability and Accountability Act)…Etc.
This article is just a summary of what I’m going to write by my experiences through many SharePoint projects I’ve done. Most of them included security requirements in which various SharePoint components must be protected.
I do hope this series help companies in terms of security plan for SharePoint to avoid information leakage as much as possible. It would be a small companion book in your pocket.